Re: Helo greylisting?

From: Cami (no email)
Date: Mon Aug 01 2005 - 02:39:37 EDT

  • Next message: jay alvarez: "LDAP lookup question(are accounts still need to be present in the system?)"

    Wietse Venema wrote:
    > Cami:
    >
    >> Tony Earnshaw wrote:
    >>
    >>> Ok, it might happen once or even twice if a mailadmin discovered that
    >>> he'd made a mistake.
    >>
    >> This appears to not be a mistake of any kind. You get
    >> MTAs that are on roaming/floating IPs. In the tests
    >> done on my previous mails, legit/genuine MTAs appear
    >> to do this very little though.
    >
    > It may be possible to allow for variation in the host part of
    > host.example.com, and to allow any HELO name that resolves to
    > the client IP address or its /28 block, and..., and...

    Looking further at overnight results, I'm not sure that
    is warranted: (these are hosts that bypassed all UCE
    restrictions+greylisting):

    +-----------------+-------------------------------+------+
    | _host           | _helo                         | scnt |
    +-----------------+-------------------------------+------+
    | 64.56.232.187   | gaydemon.tv                   |    4 |<- 1
    | 202.82.238.6    | balance-001.com               |    3 |<- 2
    | 202.188.0.162   | av4.tm.net.my                 |    3 |<- 3
    | 199.185.220.223 | priv-edtnes27.telusplanet.net |    3 |<- 4
    | 218.80.213.213  | gstcon                        |    3 |<- 5
    | 210.243.166.66  | ep14.udnpaper.com             |    3 |<- 6
    | 200.59.148.41   | mail2.nuujho.com              |    3 |<- 7
    | 216.221.81.25   | fep3.cogeco.net               |    3 |<- 8
    | 64.59.134.9     | pd6mo2no.prod.shaw.ca         |    3 |<- 9
    | 62.112.145.189  | aroundaboutcars.com           |    2 |<- 10
    +-----------------+-------------------------------+------+

    1-> spam, not on any RBL, not caught by SA
    2-> spam, not on any RBL, 95 spam caught by SA, 1 slipped through
    3-> ham, not on any RBL, 0 spam, 34 ham, HELOs include:
    +---------------+-----------------+
    | _host         | _helo           |
    +---------------+-----------------+
    | 202.188.0.162 | av4.tm.net.my   |
    | 202.188.0.162 | ipop2.tm.net.my |
    | 202.188.0.162 | ipop9.tm.net.my |
    +---------------+-----------------+
    4-> ham, not on any RBL, 0 spam, 15 ham, HELOs include:
    +-----------------+-------------------------------+
    | _host           | _helo                         |
    +-----------------+-------------------------------+
    | 199.185.220.223 | priv-edtnes27.telusplanet.net |
    | 199.185.220.223 | priv-edtnes28.telusplanet.net |
    | 199.185.220.223 | priv-edtnes51.telusplanet.net |
    +-----------------+-------------------------------+
    5-> spam, listed on 3 RBLs, 5 spam caught by SA, none passed
    6-> ham, not on any RBL, 10 ham, 1 spam, HELOs include:
    +----------------+-------------------+
    | _host          | _helo             |
    +----------------+-------------------+
    | 210.243.166.66 | ep14.udnpaper.com |
    | 210.243.166.66 | ep16.udnpaper.com |
    | 210.243.166.66 | ep17.udnpaper.com |
    +----------------+-------------------+
    7-> spam, listed on 4 RBLs, 4 spam caught by SA, none passed
    8-> ham, not on any RBL, 20 ham, 0 spam, HELOs include:
    +---------------+-----------------+
    | _host         | _helo           |
    +---------------+-----------------+
    | 216.221.81.25 | fep3.cogeco.net |
    | 216.221.81.25 | fep4.cogeco.net |
    | 216.221.81.25 | fep6.cogeco.net |
    +---------------+-----------------+
    9-> spam, listed on 2 RBLs, 25 spam caught by SA, 5 passed
    10-> spam+ham, not on any RBL, 39 spam caught by SA, 23 passed

    So it's roughly 50/50 spammers and legit hosts who change their
    HELO information and still make it past all the restrictions.
    Of the legit hosts, none of them appear to use more than 3
    unique HELOs.

    Cami
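The two ideas in this exchange, Wietse's suggestion to tolerate variation in the host part of a HELO name (and to accept a name resolving into the client's /28) and Cami's observation that no legitimate host used more than 3 distinct HELOs, worked into a small greylisting-key experiment. This is an added example, not code from the thread or from Postfix; the observation list is constructed from the tables above plus one made-up 192.0.2.10 client, and the label-count heuristic in `helo_key` is an assumption, not Wietse's proposed rule.

```python
import ipaddress
from collections import defaultdict

# Threshold taken from the thread: no legit host used more than 3 HELOs.
MAX_DISTINCT_HELOS = 3

# Constructed sample: the first rows come from the tables in the mail, the
# 192.0.2.10 rows are made up (documentation range) to show a bad case.
OBSERVATIONS = [
    ("202.188.0.162", "av4.tm.net.my"),
    ("202.188.0.162", "ipop2.tm.net.my"),
    ("202.188.0.162", "ipop9.tm.net.my"),
    ("199.185.220.223", "priv-edtnes27.telusplanet.net"),
    ("199.185.220.223", "priv-edtnes28.telusplanet.net"),
    ("218.80.213.213", "gstcon"),
    ("192.0.2.10", "a.example.net"),
    ("192.0.2.10", "b.example.org"),
    ("192.0.2.10", "c.example.com"),
    ("192.0.2.10", "d.example.edu"),
]

def helo_key(helo: str) -> str:
    """Tolerate host-part variation: drop the leftmost label of a name with
    three or more labels, so av4.tm.net.my and ipop9.tm.net.my both key on
    tm.net.my.  Unqualified (gstcon) and two-label names are kept whole.
    A real deployment would consult the public suffix list instead of
    this label-count heuristic (example.co.uk would collapse to co.uk)."""
    labels = helo.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) >= 3 else ".".join(labels)

def same_slash28(client_ip: str, resolved_ip: str) -> bool:
    """True when the address a HELO name resolves to lies in the client's
    /28.  The DNS lookup is left to the caller so this runs offline."""
    net = ipaddress.ip_network(f"{client_ip}/28", strict=False)
    return ipaddress.ip_address(resolved_ip) in net

def summarize(observations):
    """Per client IP: distinct raw HELOs, distinct normalized keys, and a
    flag when the raw count exceeds MAX_DISTINCT_HELOS."""
    raw, keys = defaultdict(set), defaultdict(set)
    for ip, helo in observations:
        raw[ip].add(helo.lower())
        keys[ip].add(helo_key(helo))
    return {ip: {"helos": len(raw[ip]), "keys": len(keys[ip]),
                 "suspicious": len(raw[ip]) > MAX_DISTINCT_HELOS}
            for ip in raw}
```

With the thread's data every legitimate client collapses to a single key, so keying the greylist on `helo_key` would stop re-greylisting them each time the front-end host changes.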

